Safeguard
Tag

cosign

Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.

33 articles

Container Security

Signing Container Images: Cosign, Notary, and Why It Matters

Signing container images cryptographically proves an image came from a trusted build and hasn't been tampered with since — here's how Cosign and Notary do it, and why registries alone can't guarantee that.

Feb 18, 20266 min read
Tools

Kyverno ImageValidatingPolicy 2026: A Production Walkthrough

Kyverno 1.18 ships ImageValidatingPolicy as the new policy type for cosign signature, attestation, and SBOM verification. We migrated a 60-cluster fleet and graded the new model.

Feb 12, 20267 min read
Software Supply Chain Security

Sigstore Rekor Transparency Log Deep Dive 2026

How Rekor actually works in 2026, the trade-offs of the current Merkle tree design, witness diversity, and the operational realities of verifying inclusion at scale.

Feb 4, 20266 min read
Container Security

What is Image Signing

Container image signing binds a cryptographic signature to an image's digest so you can prove what's running is what was actually built — not just scanned.

Feb 1, 20267 min read
Container Security

Cosign for Container Signing: A Production Setup

A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.

Jan 22, 20267 min read
Container Security

Implementing keyless container image signing with Cosign ...

A hands-on guide to Cosign keyless signing GCP setups with Sigstore, Workload Identity Federation, and Cloud Build — sign and verify images with no key management.

Jan 9, 20267 min read
Tools

Cosign v2.6: New Bundle Format and Trusted Root

Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.

Oct 21, 20255 min read
Engineering

Sigstore Cosign Keyless Signing Explained for Teams

Keyless signing swaps long-lived private keys for ten-minute certificates tied to an OIDC identity. How Fulcio and Rekor work, and how to roll it out without breaking deploys.

Jul 24, 20256 min read
DevSecOps

How to Test Your Signing Pipeline End to End

Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.

Apr 10, 20256 min read
DevSecOps

How to Rotate Build Signing Keys Safely

A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.

Oct 8, 20246 min read
SBOM & Compliance

Cosign Verification Policies in Production

Writing cosign verification policies that actually pass production deployment gates requires more precision than the examples suggest. Here is what we have learned.

Jul 30, 20246 min read
Container Security

AWS ECR Image Signing in Production

Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.

Jul 22, 20247 min read
cosign (Page 2) — Safeguard Blog